Mirror of https://github.com/moparisthebest/pacman, synced 2024-12-23 00:08:50 -05:00
pacman-key: rework and document holding keys in keyring
The HoldKey option was undocumented and was not suited for pacman.conf. Instead use the file "/etc/pacman.d/gnupg/heldkeys" to contain a list of keys not to be removed from the pacman keyring with the --populate option.

Signed-off-by: Allan McRae <allan@archlinux.org>
commit e1b9f7b300
parent 29dede2eb7
@ -101,12 +101,16 @@ A distribution or other repository provided may want to provide a set of valid
|
|||||||
PGP keys used in the signing of its packages and repository databases that can
|
PGP keys used in the signing of its packages and repository databases that can
|
||||||
be readily imported into the pacman keyring. This is achieved by providing a
|
be readily imported into the pacman keyring. This is achieved by providing a
|
||||||
PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the
|
PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the
|
||||||
directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be
|
directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be
|
||||||
provided containing a list of revoked key IDs for that keyring. These files are
|
provided containing a list of revoked key IDs for that keyring. These files are
|
||||||
required to be signed (detached) by a trusted PGP key that the user must
|
required to be signed (detached) by a trusted PGP key that the user must
|
||||||
manually import to the pacman keyring. This prevents a potentially malicious
|
manually import to the pacman keyring. This prevents a potentially malicious
|
||||||
repository adding keys to the pacman keyring without the users knowledge.
|
repository adding keys to the pacman keyring without the users knowledge.
|
||||||
|
|
||||||
|
A key being marked as revoked always takes priority over the key being added to
|
||||||
|
the pacman keyring, regardless of the keyring it is provided in. To prevent a
|
||||||
|
key from being revoked when using --populate, its ID can be listed in
|
||||||
|
+{sysconfdir}/pacman.d/gnupg/holdkeys+.
|
||||||
|
|
||||||
See Also
|
See Also
|
||||||
--------
|
--------
|
||||||
|
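Review bot: the new paragraph says the holdkeys file prevents a key "from being revoked", but the commit message and the populate_keyring() change both describe it as keeping a key from being removed from the local keyring when a `foo-revoked` list names it; as written it reads as if the file could undo the upstream revocation. Say what the file does, e.g. "To prevent a key listed in a `foo-revoked` file from being removed from the pacman keyring when using --populate, its ID can be listed in +{sysconfdir}/pacman.d/gnupg/holdkeys+." Since this is the only documentation of the file, also state its format (one key ID per line, which is how the script reads it). While the surrounding context is being touched, "without the users knowledge" should be "user's".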
@ -232,17 +232,15 @@ populate_keyring() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
# List of keys that must be kept installed, even if in the list of keys to be removed
|
# Read list of keys that must be kept installed and remove them from the list
|
||||||
local HOLD_KEYS="$(get_from "$CONFIG" "HoldKeys")"
|
# of keys to be removed
|
||||||
|
if [[ -f "${PACMAN_KEYRING_DIR}/holdkeys" ]]; then
|
||||||
# Remove the keys that must be kept from the set of keys that should be removed
|
while read key; do
|
||||||
if [[ -n ${HOLD_KEYS} ]]; then
|
|
||||||
for key in ${HOLD_KEYS}; do
|
|
||||||
key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)"
|
key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)"
|
||||||
if [[ -n "${removed_ids[$key_id]}" ]]; then
|
if [[ -n "${removed_ids[$key_id]}" ]]; then
|
||||||
unset removed_ids[$key_id]
|
unset removed_ids[$key_id]
|
||||||
fi
|
fi
|
||||||
done
|
done < "${PACMAN_KEYRING_DIR}/holdkeys"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Remove the keys not marked to keep
|
# Remove the keys not marked to keep
|
||||||
|
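Review bot: `while read key; do` in the new loop neither uses `-r` nor skips blank or comment lines, so an empty line or a `# comment` in holdkeys is handed to gpg verbatim as the `--list-key` pattern, and the result is whatever gpg makes of that pattern rather than a no-op. Guard the body, e.g. `while read -r key; do` followed by `[[ -z $key || $key = \#* ]] && continue` before the gpg call. The file name also disagrees with the commit message, which calls it "heldkeys" while the code and the documentation hunk use "holdkeys". Finally, dropping the `get_from "$CONFIG" "HoldKeys"` lookup means any such entry still present in pacman.conf is now silently ignored; a line in the commit message or NEWS pointing former users of the undocumented option at the new file would avoid surprise removals.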